MySQL Vulnerabilities

Welcome to Security Alerts, an overview of recent Unix and open source security advisories.

In this column, we look at a problem with Perl's
safe mode; some serious vulnerabilities in MySQL; buffer overflows in
wget, tcpdump, Canna, and GTetrinet; and problems in lynx, mICQ, Sun
Cobalt RaQ 4 Server Appliances, xdvi, dvips, and Exim.

MySQL has several vulnerabilities that can be exploited to execute
arbitrary code or to mount a denial-of-service attack against the
database server. These vulnerabilities include:

A buffer overflow in the code that handles COM_TABLE_DUMP can be used
in a denial-of-service attack. The buffer overflow is reported to
affect Linux, FreeBSD, and MS Windows systems.

There is a flaw in the password authentication system in MySQL that
makes it possible for an attacker to authenticate as another user in
no more than 32 attempts. The attacker must have a valid
account and can only attack accounts that have permission to log in
from the host they are on. A local user or a remote user in an
environment that allows remote root logins can gain full access to all
databases. There is also a buffer overflow in the password
authentication system.

The MySQL client is vulnerable to a buffer overflow when it reads rows
from the database. This vulnerability can be used in a denial-of-service
attack against the client and may, under some circumstances, be
exploitable to execute code on the client machine.

It is recommended that users upgrade to MySQL 3.23.54 as soon as
possible. Any software that is linked against libmysql should also be
upgraded or recompiled.

Several problems have been reported in wget, a file retrieval utility
that uses FTP or HTTP to fetch files across a network. These
problems include a buffer overflow in the code that handles the URL of
the file to be retrieved, and a problem with the processing of FTP
server responses that can result, under some conditions, in arbitrary
local files being overwritten.

Users should watch their vendor for an updated package that repairs
these problems.

Sun Cobalt RaQ 4 server appliances with the Security Hardening Package
(RaQ4-SHP Release 1.x.x) installed have a vulnerability that can be
exploited by a remote attacker to execute arbitrary code with root
permissions. The vulnerability is in a CGI application installed on
the server. It is reported that a script to automate exploitation of
this vulnerability is available.

It is recommended that users apply the update available from Sun as
soon as possible.

The kpathsea library, which is used by xdvi and dvips, calls system() in
an insecure manner. This may be exploitable using a carefully crafted
DVI file to execute arbitrary commands with the permissions of the user
running xdvi or dvips (often the printer user account lp).

Users should watch their vendor for an updated version of the kpathsea
library and should recompile any applications that were statically
linked to the vulnerable version.
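The kpathsea problem above is the classic "untrusted string spliced into a system() command" pattern. The following added example (not kpathsea's own code) contrasts that shape with a hardened form that validates the font name against an allowlist and then runs the helper through exec without a shell; the assumption that the offending string is a font name handed to mktexpk, and the helper names run_mktexpk_unsafe / run_mktexpk_safe / font_name_is_safe, are mine, not the advisory's.

```c
/* Added example, not kpathsea code. Assumes the attacker-controlled input is a
 * font name from the DVI file that ends up as an argument to mktexpk. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Unsafe shape: the font name is pasted into a command line that sh -c parses,
 * so any shell metacharacter in the name is interpreted, not passed literally. */
int run_mktexpk_unsafe(const char *font) {
    char cmd[256];
    snprintf(cmd, sizeof cmd, "mktexpk %s", font); /* no validation, no quoting */
    return system(cmd);                            /* shell sees the whole string */
}

/* Hardened step 1: accept only the characters a TeX font name legitimately
 * uses, bounded in length, and never starting with '-' (would parse as option). */
int font_name_is_safe(const char *font) {
    size_t n = strlen(font);
    if (n == 0 || n > 64 || font[0] == '-')
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)font[i];
        if (!(isalnum(c) || c == '.' || c == '-' || c == '_'))
            return 0; /* rejects ';', '`', '$', '|', '/', whitespace, ... */
    }
    return 1;
}

/* Hardened step 2: no shell at all; the font name is exactly one argv element.
 * Returns the child's exit status, or -1 if the name was rejected or exec failed. */
int run_mktexpk_safe(const char *font) {
    if (!font_name_is_safe(font))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execlp("mktexpk", "mktexpk", font, (char *)NULL);
        _exit(127); /* exec failed; 127 mirrors sh's "command not found" */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```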

tcpdump is vulnerable to a remotely exploitable buffer overflow in the
code that handles BGP decoding. This buffer overflow can be used to
crash tcpdump and may, under some conditions, be exploited to execute
code with the permissions of the user running tcpdump (often root).

Users should contact their vendors for a repaired version of tcpdump
and should consider disabling it until it has been repaired.

The Exim message transfer agent has a vulnerability that can be
exploited by a local attacker who has access to the admin user of Exim
to gain root permissions. The admin user of Exim is set when the
software is compiled. A program to automate the exploitation of this
vulnerability has been released.

Canna, a server used to enable Japanese-language input, has a buffer
overflow that can be exploited to execute code with the permissions of
the user running Canna (usually bin). The buffer overflow is present in
all versions of Canna through version 3.5b2. An additional
vulnerability can be exploited in a remote denial-of-service attack
and affects versions of Canna through 3.6.

Users should watch their vendor for updated packages that repair
these problems.

OpenLDAP2 is an open source implementation of Lightweight Directory
Access Protocol (LDAP) tools and servers. Buffer overflows have been
found in OpenLDAP2 that can be remotely exploited to execute arbitrary
commands on the server. Other, locally exploitable problems have also
been found.

Users should watch their vendor for an update to OpenLDAP2 and apply
it as soon as it is available.